Home > CCNA – Access List Questions

CCNA – Access List Questions

May 1st, 2011 Go to comments

Here you will find answers to CCNA Access list questions

Note: If you are not sure about how to use Access list, please read my Access list tutorial

Question 1

Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

accesslist1

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23

 

Answer: D E

Explanation

First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.

The purpose of this access-list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find out the subnet mask just convert all bit “0” to “1” and all bit “1” to “0” of the wildcard mask) to telnet to any device. So we need to figure out the range of this network to learn which ip address will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range so they are the correct answer.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

accesslist2

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

 

Answer: B C

 

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

accesslist3

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

 

Answer: B

Explanation

Although the access-list is used to “permit” network 10.1.1.0/24 but the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4” so it will permit only Telnet traffic from “Admin” to RA while drop all other traffic (because of the implicit “deny all” command at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.

This access list only filters Telnet traffic (because it is applied to vty line) so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not proceed TCP, UDP or IP traffic so the students still access the Admin network.

(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

accesslist4

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

 

Answer: C

Explanation

Four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through so we can summary them as network 172.29.16.0/22.

/22 = 255.255.252.0 so it equals 0.0.3.255 when converting into wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are false. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and wildcard mask of answer E are false as it allows the whole major network 172.29.0.0/16 to go through.

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

 

Answer: A

Explanation:

First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 if we convert to wildcard mask (just invert all bits of the subnet mask,from 0 to 1 and from 1 to 0 we will get the equivalent wildcard mask of that subnet mask) -> so B is incorrect

In this case, we have to use extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses standard access list.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which the following command would implement the access list on the interface of the R2 router?

accesslist_blocktraffic

 

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

 

Answer: C

Question 7

The following access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access lists affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

 

Answer: D

Explanation:

There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic.

Note: This access list is applied on outbound direction so only packets exiting E0 will be checked. Packets entering E0 will not be checked and they all are allowed to pass through.

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

accesslist

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

 

Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the “in direction” so in this case, it will filter all the packets originated from E1 network (host PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3 which means 5.1.1.8/252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255 which means 5.1.3.0/24-> Packets to 5.1.3.0/24 will be filtered

Therefore packets originated from 5.1.1.8 to 5.1.1.11 and have the destination to the host 5.1.3.x (via Telnet) will be denied.

Question 9

The following configuration line was added to router R1

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packet matching the last octet of the destination address and accept all source addresses
C – permit all packet matching the host bits in the source address to all destinations
D – permit all packet from the third subnet of the network address to all destinations

 

Answer: A

Comments
Comment pages
1 19 20 21 61
  1. ansari
    September 18th, 2013

    hi friends..
    i am having exam of ccna 640-802 in sept 20 so plz any body send me a latest dump i will very thanks full to them
    my email: akhtaransari555@yahoo.com

  2. chan
    September 21st, 2013

    guys can somebody help me with the direct link to packet tracer 6 download, i keep getting redirected

  3. citrix 1 msit
    September 21st, 2013

    is it just me i don’t get number 8…the image doesn’t match what needs to be selected..

  4. Anonymous
    September 23rd, 2013

    @ Tomas on Aug 29.. Referring to Ques 1. – I got the same reasoning as 2/3 of CCNP Guy. /29 = 248 = Block of 8. So 0.0.0.7

  5. pro link building
    September 24th, 2013

    mpoMiz Major thankies for the article.Much thanks again. Really Cool.

  6. Alex
    September 27th, 2013

    Hi guys,

    I was wondering if someone can send me the lastes dump for the ICND2 640-816,.. this is my last attempt to pass this cert. Taking it on sept 30th. any info is greatly appreciated,, my email is Alex9094@msn.com

  7. ka
    October 1st, 2013

    Thanks 9tut……I passed the Cisco CCNA 640-802 exam yesterday 30-sep-2013…………!!! I got ACL 2, EIGRP and VTP. All the best to those who are preparing for the exam….

  8. abel
    October 11th, 2013

    Thanks 9tut, i passed the cisco 200-120 exams today, i had over 90 percent…………….more new questions. came accross access list, netmask and some drag and drop questions

  9. Anonymous
    October 28th, 2013

    download latest dumps from
    9
    t
    u
    t
    .
    c
    o
    m
    x
    a
    .
    c
    o
    m

  10. Anonymous
    January 8th, 2014

    cool i have done ccna cool

  11. mohsen alattas
    January 9th, 2014

    how was the exam easy or difficult

  12. cabby777
    January 23rd, 2014

    In reference to Question 6:
    What is the difference between an access-list and an access-group?
    When do you use a group instead of a list?
    A – access-list 101 in
    C – ip access-group 101 in
    Thanks

  13. Ayad
    March 27th, 2014

    There is no command such as access-list 101 in !!

  14. Wall Cookie
    May 5th, 2014

    Q5:
    Option A and D are synonymous.

    You can use “host” with the host destination IP or you can use the wildcard mask of 0.0.0.0
    Both work the same.
    The “host” statement does not designate a standard access-list statment as there is no destination IP/network in a standard access-list, only the source IP/network.

  15. Anonymous
    August 27th, 2014

    Ola amingos minha mae colocou senha no roteado e nao consigo saber senha sei que ipei 192.168.1.128 alguem pode me ajundar adescobri

  16. Kandy
    January 10th, 2017

    the hanging tree mp3 – myfreemp3.review/search/the-hanging-tree-mp3/
    download free music

  17. Lucky
    January 10th, 2017

    jamies elsewhere discography (mp3) – myfreemp3.review/search/jamies-elsewhere-discography-(mp3)-/
    download free music

Comment pages
1 19 20 21 61
  1. No trackbacks yet.